2009/10/07

By now, hopefully everyone has heard of the security breach in which a list posted on a public site exposed the usernames and passwords of some 10,000 accounts. Initially it was reported to involve just Hotmail/Live.com/MSN, but it turns out Yahoo!, Earthlink, GMail, and others were also affected. The attackers got the information using phishing attacks, so it wasn't a breach of any of the sites themselves. Still, it meant someone was in possession of that account information, and that is an issue for the folks affected. And since the list only had names starting with the letters A and B, there are surely a whole lot more than 10,000 affected.

Since the list was publicly available, a security researcher was able to grab it before it was pulled offline. What was found wasn't surprising, but it shows we still have a long way to go with respect to educating folks about online security. Here are some of the details the report contains:

The password "123456" was the most common, occurring 64 times.

Almost 2,000 of the 10,000 passwords were only 6 characters in length.

Most of the top 20 passwords were names (it happened that they were Spanish names, meaning the phishing attack likely targeted Spanish-speaking communities), but we can take from it that a lot of folks still use names as passwords.

Over 40% of the passwords only used lowercase characters.

19% only used numbers.
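The report's findings are the kind of numbers you would want to pull from your own password audit. The following is an added example (not the researcher's code, and not the leaked data): it classifies each password by the character classes it contains and computes the same categories the report describes, over a small constructed sample list.

```python
import string
from collections import Counter

# Constructed sample, deliberately shaped like the weaknesses the report describes.
# These are not the leaked passwords.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "alejandra", "alberto", "password",
    "111111", "tequiero", "Abc123!x", "daniel", "654321", "mariana",
    "abc123", "Tr0ub4dor&3", "carlos", "123456",
]


def char_classes(password):
    """Return the set of character classes present: lower, upper, digit, special.

    Anything that is not an ASCII letter or digit (punctuation, space, accented
    letters) is counted as 'special' for this simple audit.
    """
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def audit(passwords):
    """Summarise a password list the way the report does (counts, not percentages)."""
    counts = Counter(passwords)
    most_common, freq = counts.most_common(1)[0]
    classes = [char_classes(p) for p in passwords]
    return {
        "total": len(passwords),
        "most_common": most_common,
        "most_common_count": freq,
        "six_chars": sum(1 for p in passwords if len(p) == 6),
        "lowercase_only": sum(1 for c in classes if c == {"lower"}),
        "digits_only": sum(1 for c in classes if c == {"digit"}),
        "all_four_classes": sum(1 for c in classes if len(c) == 4),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_PASSWORDS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real list only in a controlled audit of accounts you are responsible for; the percentages in the report follow directly by dividing each count by the total.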

Passwords are still a necessary evil. For some folks, that email account may have been a "throw away" type of email address, but I suspect a lot of folks just didn't know how to do a better job with passwords. Microsoft has published some good guidance to help with picking relatively strong passwords, and it's not hard to do. As for me? I like long passwords based on phrases that make sense to me, with mixed case, special characters, and numeric characters as well. I know I'm paranoid about that stuff, but I have found that when I do that, it's not that difficult. In a lot of cases I just let my password vault generate a random password and use that for a given web site. But if it's somewhere I'm going to need to log onto and I suspect I won't have my password vault, I'll follow my own algorithm. Here's how I might go about picking a password:

I can think of something related to the site or the activity. For instance, for SQL Server Central, I might think about something related to SQL Server. Let's go with, "I'm glad I'm not on SQL Server 6.5!"

I can use that as a starting point for a passphrase (a phrase used as the password): I'mgladI'mnotonSQLServer6.5!

We already have mixed case, numeric, and special characters in that passphrase. But we could still make it more complex.

Let's substitute the "o" character with the "#" character. That's not a standard substitution. That leaves us with: I'mgladI'mn#t#nSQLServer6.5!

And we're left with a 28 character password that has mixed case, numeric, and special characters, and one that should be relatively easy to remember.

Now, if you didn't want to have to type 28 characters, you could shorten it to just the first characters (remember we've substituted the "o" with "#"), leaving the numbers intact: IgIn#SS6.5!

And you're still left with an 11 character mixed-case, numeric, special character password that should hopefully be easy to remember.
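The steps above are a deterministic recipe, so they can be written down as code. This is an added example, not the author's own tool: it takes the starting sentence, applies the "o" to "#" substitution, and produces both the full passphrase and the shortened form (first character of each word, with any word containing a digit kept whole so the numbers stay intact). The substitution table and the rule for deciding which words to keep whole are my reading of the steps, not something the post spells out.

```python
# Substitution the post uses: the letter "o" becomes "#". Any mapping works,
# as long as you can remember it; this dict is the only place it is defined.
SUBSTITUTIONS = {"o": "#"}


def substitute(text, substitutions=SUBSTITUTIONS):
    """Apply every character substitution in order."""
    for old, new in substitutions.items():
        text = text.replace(old, new)
    return text


def full_passphrase(sentence, substitutions=SUBSTITUTIONS):
    """Join the words of the sentence and apply the substitutions.

    'I'm glad I'm not on SQL Server 6.5!' -> "I'mgladI'mn#t#nSQLServer6.5!"
    """
    return substitute("".join(sentence.split()), substitutions)


def short_passphrase(sentence, substitutions=SUBSTITUTIONS):
    """Keep the first character of each (substituted) word; words with digits stay intact.

    'I'm glad I'm not on SQL Server 6.5!' -> "IgIn#SS6.5!"
    """
    parts = []
    for word in sentence.split():
        word = substitute(word, substitutions)
        if any(c.isdigit() for c in word):
            parts.append(word)      # "6.5!" is kept whole so the numbers survive
        else:
            parts.append(word[0])   # "#n" (from "on") contributes "#"
    return "".join(parts)


if __name__ == "__main__":
    sentence = "I'm glad I'm not on SQL Server 6.5!"
    full = full_passphrase(sentence)
    short = short_passphrase(sentence)
    print(f"{full}  ({len(full)} chars)")
    print(f"{short}  ({len(short)} chars)")
```

Because the transformation is fixed, the unpredictability of the result comes entirely from the sentence you start with; the substitution and the shortening add characters an attacker has to guess, but they do not rescue a phrase that is itself easy to guess.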

And on a side note, no, that's not my SQL Server Central password. While I can think of something related to the site or activity, I tend not to. I tend to think of something that usually makes no sense at all except to me and build from there. For instance, maybe something happened on SSC in the forums once that reminded me of Yosemite Sam. There hasn't been, to my knowledge, but if there had been, that may be what I initially derive my password from. If you know me and you know the site, you may assume I'd connect something related, and when you begin your attempts to brute-force a password of mine, you're already going down the wrong path. So why do I recommend that folks start with something related? Because for folks who aren't used to generating "complex" passwords, it gives them a starting point, and if they follow the rules, the ending point will be so ambiguous that it doesn't matter much. Me? I'm just paranoid like that.